The Vollgar botnet has been active since at least May 2018, the researchers say. Its operators use a combination of remote access tools and brute-force methods to infect vulnerable Microsoft SQL Server databases with malware, according to their new report. This botnet can infect up to 3,000 SQL Server databases each day.

The #Vollgar attack campaign has been operating under the radar for ~2 years, brute forcing MS-SQL servers on the internet. With 2-3k servers infected daily, the attacker deploys powerful RATs and mines two cryptocurrencies. More in @Guardicore Labs blog: https://t.co/ZkmIAYPBy2

The Vollgar botnet has targeted organizations in several sectors, including healthcare, aviation, IT, telecommunications and higher education, over the last two years, says Ophir Harpaz, a cybersecurity researcher at Guardicore Labs. Attacks have occurred in the U.S., China, India, South Korea and Turkey, he adds.

And while the botnet's activity peaked in December 2019, it remains active. When the botnet is removed from a SQL Server database, its operators find new databases to infect due to the large-scale brute-force attack methods used to guess usernames and passwords, Harpaz says.

In addition to seeking out the valuable CPU power that the devices running Microsoft SQL Server databases offer, Harpaz believes the operators of Vollgar are seeking valuable content in databases, such as usernames, passwords and credit card numbers.

"A botnet like Vollgar can be very profitable," Harpaz tells Information Security Media Group. "First of all, it targets [Microsoft] SQL database servers, which may hold valuable data that other attack groups are interested in. In addition, access to data center networks can be worth a lot, depending on the victim's network and domain."

Vollgar Capabilities

In their report, the Guardicore researchers note that after the Vollgar botnet has infected a Microsoft SQL Server database through a brute-force attack, it attempts to install backdoors within the database. The report also notes that these backdoors are used to plant the cryptominers as well as install remote access tools.

These malicious tools then give the botnet operators full control of the server, which then allows them to exfiltrate data, run an interactive terminal and install malicious Windows services as well as key-logging and other functions, the report notes.

These botnet infections, however, are short-lived. In about 60 percent of the cases, the attack only lasts for about two days, according to the report. But some attacks can last one to two weeks, which could mean Vollgar disguises itself to hide from anti-virus software or the database owner does not have proper security features in place, the report notes.

In about 10 percent of cases, Guardicore observed, Vollgar managed to re-infect a SQL Server database after it had been removed.

The botnet also attempts to eliminate other competing malware from infected servers, the researchers determined.

"There is a vast number of attacks targeting MS-SQL Servers. However, there are only about half-a-million machines running this database service," Harpaz says. "This relatively small number of potential victims triggers an inter-group competition over control and resources; these virtual fights can be seen in many of the recent mass-scale attacks."

Origins in China?

While it's not clear where the operators of Vollgar reside, the Guardicore report notes that these attacks originate from more than 120 IP addresses, the majority of which are located in China.

Vollgar's main command-and-control server is located in a SQL database housed in China, the researchers say. This server has also been infected with backdoors and other malware from other attack groups. "Nevertheless, the machine was 'business as usual,' running the database service as well as benign background processes," according to the report.

Guardicore created a GitHub repository to help database administrators determine if their Microsoft SQL Server databases have been infected with Vollgar.

About the Author

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at companies such as IDG and Business Standard where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.
